Ugggg. Should I just put tapatalk back in?

Tapatalk back in or not?


Total voters: 63

Mobile design is the way to go for the future as it allows full functionality, not a crappy cut-down experience. Besides, users don't want lots of different apps just to access the various forums they participate in. And don't kid yourself that there can be 'one app to rule them all', Tapatalk has shown that's not the case, all you get is limited functionality as it's the lowest common denominator.

Well all I can say is that after the initial complaints after the removal of Tapatalk, my users have embraced responsive design (and appreciated the addition of UI.X as the style for the forum). They now like the fact that they aren't limited in what they can access on the forums. I even added push notifications with an add-on but most said they didn't need it. I haven't lost any forum users and none have asked for Tapatalk to be returned or another app installed. So to say that most Tapatalk users want a cut down experience is untrue as is that most forum users want an app rather than good responsive design.

That is pretty much our experience also, across a handful of forums. We still get mild hints that they don't like how it renders in a browser on mobile but on the other hand, the whining about Tapatalk has pretty much died up. When it comes up, we simply tell them something along this theme:

I had tapatalk installed for a few years, and just recently removed it for security and privacy concerns. Several of my members want it back, and have threatened to limit their participation. The xenforo theme is responsive, and works better than an app IMO. After pushing the mobile version on them, they seem to like it. I had no idea about the xenpush, so I'll check it out. If they limit their participation, so be it. I prefer security over convenience.

In short, I will never compromise my forum's data, my server's security, or my members' privacy with that festering pile of crap called tapatalk. When a member asks, we simply point out the numerous security and privacy issues, and that ends the discussion right there. End users don't know what we do as admins.

I will say that those who still use it, deserve whatever happens in terms of security and privacy. The tapatalk system is inherently flawed, a wide open back door that they patch up with duct tape any time there's a major breach, and hope it won't break again. Support is awful, and their dealings with monetization are highly dishonest (and good luck contacting them when you want your money owed--I had to get a third party involved to start the dialog to get several hundred dollars they were sitting on, as nobody would ever answer me).

Forums everywhere are dying a slow death--and have been for years. Why hasten the demise of yours by pulling a feature that keeps people on?

I don't know about dying a slow death--just about every forum I run and visit is seeing solid growth. And we saw not a single drop in participation when we pulled tapatalk from all of our sites. If anything, participation improved since members could now use all forum functions, rather than use the kludge that is tapatalk. We have seen solid growth, both in membership numbers and number of posts per day, since dumping our older forum systems for XF.

And if you consider this--keeping a known add-on that is a privacy and security hole, and not doing anything about it, is asking for trouble. Then after a forum has had a major breach and everyone leaves out of mistrust, that will kill a forum faster than pulling a poorly-designed app.
 
An "off canvas menu" offered by some of the 3rd party style frameworks is a nice mobile optimization: https://pixelexit.com/threads/1-5-updates-off-canvas-menu-and-more.2720/#post-13413
I am clearly _way_ behind on any of this. Here's what I know; perhaps you folks can tell me what I don't know or at least what to read.

We moved from a WP forum to XF three months ago. I admin the XF forum; I was a participant but not an admin of the WP-based forum.

An outside developer handled the move and, along with the move, created a color scheme that matches that of the WP web site (which continues as it was before the move). When I go into Preferences -> Style, I get two choices: default and the custom one. I prefer and therefore use the XF default "style." The outside developer is still around, very helpful but now mostly working on a new version of the web site. He is who I go to for installation of an add-on, etc.

That's it, all I know on the subject of what my XF forum looks like. What is a "third party style framework," what is a "canvas" and therefore what is an "off-canvas menu?" Maybe even what is a "style" in XF?

Thanks in advance.

-S-
 
In short, I will never compromise my forum's data, my server's security, or my members' privacy with that festering pile of crap called tapatalk. When a member asks, we simply point out the numerous security and privacy issues, and that ends the discussion right there. End users don't know what we do as admins.

I will say that those who still use it, deserve whatever happens in terms of security and privacy. The tapatalk system is inherently flawed, a wide open back door that they patch up with duct tape any time there's a major breach, and hope it won't break again. Support is awful, and their dealings with monetization are highly dishonest (and good luck contacting them when you want your money owed--I had to get a third party involved to start the dialog to get several hundred dollars they were sitting on, as nobody would ever answer me).

I don't know about dying a slow death--just about every forum I run and visit is seeing solid growth. And we saw not a single drop in participation when we pulled tapatalk from all of our sites. If anything, participation improved since members could now use all forum functions, rather than use the kludge that is tapatalk. We have seen solid growth, both in membership numbers and number of posts per day, since dumping our older forum systems for XF.

And if you consider this--keeping a known add-on that is a privacy and security hole, and not doing anything about it, is asking for trouble. Then after a forum has had a major breach and everyone leaves out of mistrust, that will kill a forum faster than pulling a poorly-designed app.

Guys - we want to set the record straight - I agree with you that forums are still thriving with or without Tapatalk, as we do see solid growth in users and user activities. However we don't agree that we are "not doing anything" about keeping the add-on as safe as possible. There was a privacy concern when we launched the email newsletter program (which has been sunset exactly due to privacy concerns). We have a full Privacy Policy, Site Owner License Agreement, End User License Agreement in place, the launch partner with Google for their App Indexing program, and Yahoo with their Native Ads program. We very much believe having a transparent policy and clear communication is the most important thing we want to do.

For security issues - there is absolutely no security issue that is reported that is not addressed. We have a Bounty program in HackerOne to encourage white-hat hackers to report issues to us (and to be rewarded too). If you can point us to any issue we have not addressed, that is reproducible, we will take immediate action to resolve it.

Just like any add-on or forum system, there are always issues (we had our fair share of XSS and other security issues discovered before) - but I do believe we are making an excellent record in the past many months that covers 10 forum systems with over 150,000 sites running great without any security breaches. I reckon that nothing is perfect and at the same time we understand there is a trust issue when installing a comprehensive add-on like this.

I would encourage everyone to check out our implementation for this forum system (and beyond), we are confident that the investment we made in adding talented engineers / security experts that this is something as secure as the forum system it is running.

If you can point us to some solid fact / code that shows the design is "flawed", has "wide open back door" and "security breach", we will make every effort to clarify, debate, resolve and make it great for forum enthusiasts.

Check out our recent updates at http://blog.tapatalk.com.

Thanks and happy to discuss and clarify.

- Winter - creator of Tapatalk
 
@tapatalk the way TT is integrated shifts an immense amount of risk onto the forum. You go directly to the database instead of tailoring to each forum platform. It's not a small task to accomplish the proper integration. That said, this means Tapatalk itself is the "wide open back door".

Simply put, if a forum is running TT, the hacker doesn't need to exploit a hole in the forum. They just need to exploit TT for that platform and they get access to the forum automatically. There are very few, if zero, add-ons that come close to circumventing the forum's regular functions like Tapatalk does.

Suggestion is to more tightly integrate TT with the platform, while working with the forum companies [or third party developers] to produce an API with limited access if there isn't already one, then build on that. In 95% of cases, TT should not need more access to data than the visiting user, limited exceptions -- if that's followed 95% of possible TT exploits go poof.
 
I work with Winter and focus on monetization and support and wanted to address issues that were raised in those two areas.

We introduced monetization through ads a couple of years ago, and making sure everyone knows how much they are earning, and paying out the earnings on time has always been a priority. In the Tapatalk Dashboard you can login and see impressions, CPM and earnings daily, with an estimation of monthly earnings. We have a table with all paid and pending earnings, and we have always made payments within 45 days of month end. If anyone has any issue with payments or earnings they can always contact me.

Over the past couple of years we have increased the number of people in support and established a support ticketing system. You can also visit our support boards to look at response team on posts. We always have room for improvement, but I think the level of support over recent months has been very good.

Eric
 
If anyone has any issue with payments or earnings they can always contact me.

Since multiple people are using the "tapatalk" account on xenforo.com, it would be helpful if Eric's contact info was made available or at least inform us on how to contact him directly.
 
If you have an issue or question regarding monetization or payments, the best way to contact me is to login to your Tapatalk Dashboard, and file a Support Ticket. When completing the ticket, select Payment/Monetization from the drop down, and the case is immediately assigned to me.

Alternatively, you can also post on the Tapatalk Support board, or send me a PM through Tapatalk support to Eric S.

Hope that helps.
 
@tapatalk the way TT is integrated shifts an immense amount of risk onto the forum. You go directly to the database instead of tailoring to each forum platform. It's not a small task to accomplish the proper integration. That said, this means Tapatalk itself is the "wide open back door".

Simply put, if a forum is running TT, the hacker doesn't need to exploit a hole in the forum. They just need to exploit TT for that platform and they get access to the forum automatically. There are very few, if zero, add-ons that come close to circumventing the forum's regular functions like Tapatalk does.

Hi,

There is not a single "direct" SQL call to the database from the plugin code at all. There is no hand-crafted SQL call from our code except there are 4 SQL calls to a table we created / managed for Push Notifications service. There is no "circumventing" as everything is based on either the forum system API, or DB wrapper classes.

The rule of thumb is that if the forum system provides the API / function calls that can achieve the same result - we most certainly use them as it is much easier for us to maintain (e.g. the code won't break if the forum system upgrades). If there is no direct API / functions available, our second choice is to use the DB wrapper class provided by the forum system. In the case of xenForo (since this forum is obviously talking about xF), it is actually doing a fairly decent job in providing the necessary plumbing to achieve what the App needs to do, and in most cases, the app only needs a subset of the features from the web version. For example, our code does not touch the AdminCP API at all as a security precaution.

As you said this is not a small task to accomplish, but it doesn't mean it cannot be accomplished, and automatically it means "wide open back door". We have accomplished this and accomplished this on multiple forum systems with dedicated engineers just doing one thing which is to make the plugin as secure as possible.

I understand there is a perception of code quality and integration as there is high expectation when installing a comprehensive add-on like this. And as you have mentioned it is no small task. And the journey was rocky when forum owners and end users are demanding many things at the same time. But I personally believe it is the best effort any third-party developer can do. And I would admire any developers if they can read every line of our code to tell us what else we can do better - and we strive to do better and make it as secure, if not more secure (hey we reported a couple of XSS issues to a couple of forum systems when we were building the plugins) than the forum system itself. Last week, we reported a couple of PHP7 related issues to vBulletin engineers as part of our automated tests.

In some cases, we work directly with the forum system creator and their engineers. For example we work directly with the Woltlab Burning Board (the biggest forum system in Germany) engineers to improve the plugin, we work with the XDA (arguably the busiest vBulletin forum on the internet) system admin to identify issues and improve performance.

In 95% of cases, TT should not need more access to data than the visiting user, limited exceptions -- if that's followed 95% of possible TT exploits go poof.

Yes that's correct. It does not need access more than the visiting user and it is what we are doing today.

I sincerely ask you to consider taking back your statement that Tapatalk is a "wide open back door" - there are many more customers who are using the Tapatalk API to build their own app, their own widgets etc and it is important for us to defend against this accusation.

Sorry for the long post guys - I just feel it is important to clarify what we do and how we do it. I myself am also a software engineer and I feel it is very important to communicate this on behalf of the plugin team as they work around the clock to make the forum great again on mobile (app). We love what we are doing and we are just fortunate to be able to work on this project.

Thanks!

- Winter
 
And we saw not a single drop in participation when we pulled tapatalk from all of our sites. If anything, participation improved since members could now use all forum functions, rather than use the kludge that is tapatalk.

Sounds like a tenuous connection between cause and effect.

Nevertheless, I sympathize with anyone who wants to get rid of this thing.
 
I've had the exact same issues with members complaining since disabling it - we still have the app enabled but do not formally support it.

Looking forward to using Slavik's mobile app in the future fully integrated with XF
 
@tapatalk Winter, mirroring what I said in the official thread, I was basing a lot of what I said on the vB TT code I looked at when dealing with multiple clients, I got a look at the XenForo code and it actually doesn't look half bad... there are other issues but this is a start.
 
If I continued to promote tapatalk the returns on the BYO are so low they don't even pay for the app which is crazy. This isn't the fault of tapatalk but if there's no revenue stream to support the app then how can I justify having an app? The xenforo responsive design in 1.5.x has been awesome to a point that having an app doesn't make sense.
 